refactor admission flag

[hzxuzhonghu]

What this PR does / why we need it:

Refactor admission control flag, finally make cluster admins not care about orders in this flag.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

Release note:

Add `--enable-admission-plugin` `--disable-admission-plugin` flags and deprecate `--admission-control`.
Afterwards, don't care about the orders specified in the flags.

[hzxuzhonghu]

/assign @sttts
Just open up this to have a model to discuss.

[k8s-ci-robot]

@hzxuzhonghu: GitHub didn't allow me to request PR reviews from the following users: polynomial.

Note that only kubernetes members can review this PR, and authors cannot review their own PRs.

Details

In response to this:

/cc @polynomial

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[hzxuzhonghu]

/cc @p0lyn0mial

[liggitt]

/assign @deads2k

[sttts]

typographical nit: space after 1.

[hzxuzhonghu]

make sense

[sttts]

call this seenPlugins and move it nearer to the loop

[hzxuzhonghu]

ok

[sttts]

unorderedEnabledPlugins is a better name

[hzxuzhonghu]

ok

[sttts]

the whole loop can be replaced with enabledPlugins := sets.NewString(a.PluginNames).Union(sets.NewString(a.DefaultEnabledPlugins)))

[hzxuzhonghu]

No, here I intended to do by iteration, because if --admission-control=a,b,c,d,e,f,g , and RecommendedPluginOrder does not contain some of admission-control, I want to use specified order.

[sttts]

See below, I don't think we should support plugins that are not in the order.

[hzxuzhonghu]

Then all the existing plugins should be in the ordered list. We can discuss a reasonable order.

[sttts]

The default order is here: https://kubernetes.io/docs/admin/admission-controllers/#is-there-a-recommended-set-of-admission-controllers-to-use

[sttts]

should we warn or even error out if plugins are missing in the order?

[hzxuzhonghu]

if RecommendedPluginOrder contains all plugins, this will not need anymore.

[sttts]

The order is given by the programmer of the apiserver. We should still error out as it is an programmer error.

[hzxuzhonghu]

Got it.

[sttts]

I tend to expect an error instead of appending them blindly. @deads2k opinion?

[hzxuzhonghu]

Same as above #58123 (comment)

[sttts]

This is the list of manually enabled plugins. We also need the inverse: manually disabled plugins. Otherwise, you can never disable a plugin in DefaultEnabledPlugins.

[hzxuzhonghu]

Do we have the need to disable DefaultEnabledPlugins? If we do , then either add a new flag --disable-admission-plugin or set DefaultEnabledPlugins nil can solve this issue.

[sttts]

DefaultEnabledPlugins will not be exported as flag. So I guess we need --disable-admission-plugin.

About the need: DefaultEnabledPlugins will include 90% of the available plugins in kube-apiserver. So users will want to disable some.

[hzxuzhonghu]

If so, user must --disable-admission-plugin. which may be a burden for cluster admins?

[sttts]

the normal case is that the admin leaves all on. If he switches some off or on, he has very good reasons (hopefully). So an additional arg is fine.

[hzxuzhonghu]

That's ok if default enabled plugins not influence the cluster bootstrap.

[hzxuzhonghu]

ping @sttts updated

[liggitt]

Isn't it odd to wrap the existing recommended order like this and then override it later? It assumes things about the previous content of that var.

[liggitt]

For a coherent order, I think all should be specified here at once

[hzxuzhonghu]

SGTM

[liggitt]

Can't just drop this name or we break any invocation using it. Can deprecate it (and probably should, along with some others)

[hzxuzhonghu]

I see.

[liggitt]

Same here. Can't drop, can consider deprecating

[liggitt]

which of these are deprecated? Just PluginNames, right? Clarify that in the comment

[liggitt]

Also, should the old flag and the new flags be mutually exclusive? I don't think allowing both makes sense. Or, should we expand the existing flag to allow --admission-plugin=+foo,-bar format?

[hzxuzhonghu]

Yes, If both flags are specified, only the old flag is valid.

[liggitt]

This is unclear… if you specify this, is it in addition to default-enabled plugins, or does it override?

[liggitt]

Ah, the flag name ("enable") is better than the variable name ("enabled"). Should still clarify in the help that this is in addition to any enabled-by-default plugins

[hzxuzhonghu]

OK

[liggitt]

Should error if they specify the same plugin in enable and disable flags

[hzxuzhonghu]

make sense, check it in Validate should be ok.

[liggitt]

I think the old and new flags should be mutually exclusive (and error if both are used)

[hzxuzhonghu]

ok. I will check them in Validate

[liggitt]

Revert all these… they should continue to function

[hzxuzhonghu]

ok

[sttts]

When you change default flags like this you need to broadcast to other sigs.

I agree that the communication was lacking. But at least the old behaviour is not removed and still works.

[deads2k]

Did any of these changes percolate through all the other tools?

/cc @kubernetes/sig-cluster-lifecycle-pr-reviews

When you change default flags like this you need to broadcast to other sigs.

Default flags were not changed for any process we ship. A couple new flags were added, with appropriate help, but nothing was removed and no default values were changed.

[christianhuening]

Just had unknown flag: --enable-admission-plugin with the latest quay.io Image for 1.10.0. Could it be that the flag didnt make it somehow?

[hzxuzhonghu]

What image, I can look into it.

[christianhuening]

@hzxuzhonghu quay.io/hyperkube:v1.10.0_coreos.0

[hzxuzhonghu]

@christianhuening I have looked into it, and find it has it.

./hyperkube apiserver --help |grep enable-admission
      --enable-admission-plugins strings                        admission plugins that should be enabled in addition to default enabled ones. Comma-delimited list of admission plugins: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, DefaultStorageClass, DefaultTolerationSeconds, DenyEscalatingExec, DenyExecOnPrivileged, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, InitialResources, Initializers, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodPreset, PodSecurityPolicy, PodTolerationRestriction, Priority, ResourceQuota, SecurityContextDeny, ServiceAccount, StorageObjectInUseProtection, ValidatingAdmissionWebhook. The order of plugins in this flag does not matter.

[hzxuzhonghu]

And my image is

root@SZX1000353068:/mnt/go/src/k8s.io/kubernetes# docker images |grep hyper
quay.io/coreos/hyperkube                                               v1.10.0_coreos.0              aa96c9b05b70        39 hours ago        667MB

[christianhuening]

@hzxuzhonghu ohh yeah you're right. The Changelog for 1.10 misses the trailing "s" in "plugins" . Here: https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.10.md#deprecations

Sorry.

[hzxuzhonghu]

ok, that's an issue, will fix it now.

[mrmm]

Implemented for Kops in kubernetes/kops#5221 .

Cheers 🍻